From: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] CVE-2018-18439, CVE-2018-18440 - U-Boot verified boot bypass vulnerabilities
Date: Tue, 13 Nov 2018 21:57:23 +0100 [thread overview]
Message-ID: <46b613b6-37c7-2f94-e8bc-ddc4b07cce60@gmail.com> (raw)
In-Reply-To: <20181106145150.GC10037@lambda.inversepath.com>
On 06.11.2018 15:51, Andrea Barisani wrote:
> [..]
> The issue can be exploited by several means:
>
> - An excessively large crafted boot image file is parsed by the
> `tftp_handler` function which lacks any size checks, allowing the memory
> overwrite.
>
> - A malicious server can manipulate TFTP packet sequence numbers to store
> downloaded file chunks at arbitrary memory locations, given that the
> sequence number is directly used by the `tftp_handler` function to calculate
> the destination address for downloaded file chunks.
>
> Additionally the `store_block` function, used to store downloaded file
> chunks in memory, when invoked by `tftp_handler` with a `tftp_cur_block`
> value of 0, triggers an unchecked integer underflow.
>
> This allows to potentially erase memory located before the `loadAddr` when
> a packet is sent with a null, following at least one valid packet.
Do you happen to have more details on this suggested integer underflow?
I have tried to reproduce it, but I failed to get a memory write address
before 'load_addr'. This is because the 'store_block' function does not
directly use the underflowed integer as a block counter, but adds
'tcp_block_wrap_offset' to this offset.
To me it seems like alternating between '0' and 'not 0' for the block
counter could increase memory overwrites, but I fail to see how you can
use this to store chunks at arbitrary memory locations. All you can do
is subtract one block size from 'tftp_block_wrap_offset'...
Simon
next prev parent reply other threads:[~2018-11-13 20:57 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-06 14:51 [U-Boot] CVE-2018-18439, CVE-2018-18440 - U-Boot verified boot bypass vulnerabilities Andrea Barisani
2018-11-09 0:37 ` Fabio Estevam
2018-11-09 6:11 ` Simon Goldschmidt
2018-11-09 9:46 ` Andrea Barisani
2018-11-09 10:24 ` Simon Goldschmidt
2018-11-09 21:25 ` Simon Goldschmidt
2018-11-09 22:14 ` Fabio Estevam
2018-11-11 14:22 ` Wolfgang Denk
2018-11-11 23:21 ` Heinrich Schuchardt
2018-11-12 6:56 ` Simon Goldschmidt
2018-11-12 18:03 ` Heinrich Schuchardt
2018-11-12 18:58 ` Simon Goldschmidt
2018-11-12 8:00 ` Wolfgang Denk
2018-11-13 20:57 ` Simon Goldschmidt [this message]
2018-11-14 11:52 ` Andrea Barisani
2018-11-14 12:03 ` Simon Goldschmidt
2018-11-14 14:45 ` Andrea Barisani
2018-11-14 15:13 ` Simon Goldschmidt
2018-11-14 15:26 ` Andrea Barisani
2018-11-14 15:35 ` Daniele Bianco
2018-11-14 15:51 ` Simon Goldschmidt
2018-11-14 19:07 ` Simon Goldschmidt
2018-11-14 23:36 ` Joe Hershberger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46b613b6-37c7-2f94-e8bc-ddc4b07cce60@gmail.com \
--to=simon.k.r.goldschmidt@gmail.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox